see inline.

Johan Stenstam wrote on 2023-10-25 01:09:
Greetings Working Group,

As many of you are aware, Peter Thomassen, John Levine and I have been working 
on the generalised notifications for a while. The key idea there is obviously 
that a NOTIFY(CDS) or NOTIFY(CSYNC) sent from the child to the parent scanner 
will allow the scanner to fast-track the scan of that particular child, thereby 
making everything converge faster and presumably making the child happier.

But scanners still suck in general.

can you more closely define "scan" in this context? i would expect a query for the notified type at the notified name, but not some kind of enumeration of multiple possibilities.


So now there’s a new draft, that further extends the same core idea (locate the 
target for the information being sent via a DNS lookup in the parent zone). 
However, the new draft (draft-johani-dnsop-delegation-mgmt-via-ddns-00) 
proposes that instead of sending a NOTIFY (triggering a scan from the 
recipient) the child sends a DNS UPDATE containing the exact change with a 
signature that can be verified by the recipient.

The recipient is typically not the primary name server for the parent, but 
rather a small service that does the same policy verifications, etc, that a 
scanner would do before committing the change.

i am uncomfortable using the UPDATE RCODE for a purpose unrelated to zone modification. perhaps propose a new RCODE having the same message form as UPDATE?


There are two key advantages to this alternative:

1. ...

2. No requirement for DNSSEC. Great as DNSSEC is, being able to automate the 
management of delegation information for *all* zones, regardless of whether the 
parent is signed or not, regardless of whether the child is signed or not, is 
an advantage.

some years back this working group adopted a ubiquity regime for DNSSEC in that all new specifications "must" expect DNSSEC to be in use and "should" depend on it when in-scope functionality is needed. has that changed?

--
P Vixie
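The two message forms under discussion, as an added example that is not code from this thread, from draft-johani-dnsop-delegation-mgmt-via-ddns-00 or from the generalised-NOTIFY draft: a small pure-Python encoder and parser for the one-question DNS message shape that NOTIFY and UPDATE share, plus the parent-side dispatch the replies argue about. A NOTIFY whose question is CDS or CSYNC is turned into exactly one targeted query for the notified type at the notified name (no wider enumeration), and an UPDATE is told apart by its opcode rather than treated as a NOTIFY. Opcode and type numbers are the registered ones (RFC 1996 NOTIFY = 4, RFC 2136 UPDATE = 5, CDS = 59, CSYNC = 62); the zone names are constructed, and the UPDATE path's signature and policy verification is intentionally left outside this example.

```python
import struct

# Opcodes (RFC 1035 / RFC 1996 / RFC 2136) and RR types from the IANA registry
OPCODE_QUERY, OPCODE_NOTIFY, OPCODE_UPDATE = 0, 4, 5
TYPE_SOA, TYPE_CDS, TYPE_CSYNC = 6, 59, 62
CLASS_IN = 1
TYPE_NAMES = {TYPE_SOA: "SOA", TYPE_CDS: "CDS", TYPE_CSYNC: "CSYNC"}


def encode_name(name):
    """Dotted name -> uncompressed wire-format name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Wire-format name at offset -> (dotted name, offset just after it)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in question section")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_message(msg_id, opcode, qname, qtype, qclass=CLASS_IN):
    """One-question DNS message. For NOTIFY the question carries the zone and the
    announced type (SOA classically; CDS/CSYNC for generalised NOTIFY). For UPDATE
    the same slot is the Zone section (RFC 2136 section 2.3)."""
    flags = (opcode & 0xF) << 11          # QR=0, AA/TC/RD=0, RCODE=0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_message(buf):
    """Header plus the single question; anything after it is returned raw in 'rest'."""
    if len(buf) < 12:
        raise ValueError("short DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if qd != 1:
        raise ValueError("expected exactly one question/zone entry")
    qname, off = decode_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"id": msg_id, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
            "rcode": flags & 0xF, "qname": qname, "qtype": qtype,
            "qclass": qclass, "counts": (qd, an, ns, ar), "rest": buf[off + 4:]}


def scanner_action(buf, accepted=(TYPE_CDS, TYPE_CSYNC)):
    """Parent-side dispatch.  NOTIFY(CDS/CSYNC) -> one targeted query for the
    notified type at the notified name; the scanner still fetches the data from
    the child's own servers, so an unsolicited NOTIFY costs at most one lookup.
    UPDATE -> handed to the update path (its policy/signature checks are out of
    scope here).  Everything else, including a plain NOTIFY(SOA), is ignored."""
    m = parse_message(buf)
    if m["opcode"] == OPCODE_NOTIFY and m["qtype"] in accepted:
        return ("query", m["qname"], TYPE_NAMES[m["qtype"]])
    if m["opcode"] == OPCODE_UPDATE:
        return ("update", m["qname"], None)
    return ("ignore", m["qname"], None)


def notify_response(buf):
    """RFC 1996 section 4.7: answer a NOTIFY by echoing ID and question with QR=1."""
    m = parse_message(buf)
    flags = (1 << 15) | (m["opcode"] << 11)
    return (struct.pack("!HHHHHH", m["id"], flags, 1, 0, 0, 0)
            + encode_name(m["qname"]) + struct.pack("!HH", m["qtype"], m["qclass"]))


if __name__ == "__main__":
    # Constructed sample: child.example tells the parent scanner its CDS set changed.
    notify = build_message(0x1234, OPCODE_NOTIFY, "child.example.", TYPE_CDS)
    print(scanner_action(notify))      # ('query', 'child.example.', 'CDS')
    print(parse_message(notify_response(notify))["qr"])   # 1
```

The dispatch keys on the opcode field, which is why the two drafts' messages never collide on the wire even though their first sections look identical; the NOTIFY path is read-only from the scanner's point of view (it only decides which single record set to go and fetch), whereas the UPDATE path carries the proposed change itself and therefore has to be gated on verification before anything is committed.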

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
